Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Development
    • Networking

    Malware Kits Use Pseudo-Random Domain Generation to Thwart Security Fixes

    By
    Brian Prince
    -
    June 28, 2012
    Share
    Facebook
    Twitter
    Linkedin

      Exploit kits are adopting a tactic more commonly found in botnet malware to make their attack campaigns more resilient€“€œpseudo-random domain generation.€

      Among the kits being associated with this activity is Blackhole, which has emerged as one of the most prevalent exploit kits in the wild. In a recent report, anti-malware technology company M86 Security said the Blackhole kit was responsible for 95 percent of all the malicious URLs it detected in the second half of 2011. In February, the kit was used to infect whistle-blower site Cryptome.

      According to Symantec, Blackhole has now been observed utilizing pseudo-random domain generation to make attacks more persistent. The technique is commonly used by botnets to thwart efforts to disrupt their command and control (C&C) operations by generating new domain names for the malware to contact in case the C&C server is taken offline.

      According to Symantec, Blackhole has now taken a page from botnet operators.

      “When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system,” explained Symantec researcher Nick Johnston. “It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.”

      “Although this approach has generally been very successful for malware authors, it has had one weakness,” he added. “If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.”

      To address this issue, the Blackhole JavaScript on compromised sites is now dynamically generating domains based on the date and other information and creating an iframe to point to the new domain.

      “Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed,” Johnston blogged.

      But Blackhole is not the only kit to be utilizing these techniques. A researcher at Stopmalvertising.com found the pseudo-random domain generator in an .ASP file and AC_RunActiveContent.js on an infected Website. At first, however, the malicious code redirected the researcher to the RedKit exploit kit. Later, it redirected to Blackhole. The domain generator comes up with a new one every 12 hours, Stopmalvertising.com found.

      “So far we have seen a small but steady stream of compromised domains using this technique,” blogged Johnston. “This suggests that this is perhaps some kind of trial or test that could be expanded in the future.”

      Avatar
      Brian Prince

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×